Jim started his talk by referring to the “colourful” history of the future of biometrics, which appealed to my current obsession with paleo-futures at the CSFI, and made a couple of points that I think are worth opening up for discussion here. First of all, he made the key point that biometrics doesn’t solve the problem of identification but once you have identified someone then you can use biometrics to link them to that identity. Biometrics is easy, identification isn’t, and biometrics do not guarantee the validity of non-biometric data in database (this is why I keep promoting the “biometric only” plan from the UK National Identity Register). Secondly, he made me reflect on the difference between schemes where the “users” care about multiple uses or not. So, if I have a season ticket for the London underground, I don’t care about my brother using it on the days that I’m not. But I don’t want him using my credit cards on days that I do not. So why would you need a biometric for a bank card? Good point. I think that the answer is that if we want to use cards for larger transactions then we can’t use PINs because PINs are too easily snaffled, but I’m going to think some more about this and post in the future.
One issue that came up was where the readers for the UK’s ID cards might come from, since there are currently none in service. But this led me to reflect on another of Peter Hawks’ points, which was that chips for fingerprint recognition can now be added to laptops and, you guessed it, mobile phones. Incidentally, Peter was kind enough to point to some of my writing on the synergy between mobile phones and speech biometrics as a nexus for advance in the future, which I greatly appreciated
The idea that a key device for making biometrics useful in the mass market might well be the mobile phone is actually quite widespread and in one particular mode, which is doing one-to-one matches between biometric templates and stored templates in secure devices (let’s call them SIM cards for the time being) in a distributed fashion, a plausible trajectory for enhanced identification and authentication services. Consider, for example, the rather convenient use case of a contactless smart card and a biometric reader: you walk up to a door, put your finger on a scanner, then wave your card over the reader, the door beeps and in you go. Could this work? Yes, and NIST did tests on this a year ago that showed it to be practical.
The NIST tests addressed two outstanding questions associated with match-on-cards. The first was whether the smart cards’ electronic “keys” can keep the wireless data transmissions between the fingerprint reader and the cards secure and execute the match operation all within a time budget of 2.5 seconds. The second question was whether the “match-on-card” operation will produce as few false acceptance and false rejection decisions as traditional match-off-card schemes where more computational power is available. The researchers found that 10 cards with a standard 128-byte-long key and seven cards that use a more secure 256-byte key passed the security and timing test using wireless. On the accuracy side, one team met the criteria set by NIST and two others missed narrowly. The computer scientists plan a new round of tests soon to allow wider participation.[From Dr. Dobb’s | On-card Fingerprint Matching | April 1, 2008]
If we take the same kind of technology and move it into the mobile environment, we can easily imagine using an NFC-equipped mobile phone for both logical and physical access control, and other applications beside. And it’s not only in Japan where this kind of technology is being tried out.
The Kyocera cell phones were used in a mobile payments trial conducted by Cellular South… cell phone users were able to access payment cards using their fingerprints. According to Cellular South, 87% of testers that participated in the trial are interested in using the mobile payment technology once it’s available for commercial use. Other testers found the technology convenient to use and an innovative method for making everyday payments and purchases.[From Cossacks Breaking News » Companies Test Fingerprint Recognition For Mobile Payments]
There is one big drawback at present. The technology is 99% reliable, which unfortunately is as useful as a contraceptive pill that is 99% reliable (so you only get pregnant once a year). In other words, not quite ready from prime time! This was clearly demonstrated at the recent launch of a new Fujitsu handset for DoCoMo in Japan.
During the 505i launch event on Tuesday, Takeshi Natsuno was on stage to demonstrate the F505i’s capabilities – including the fingerprint reader used to authenticate access to the phone’s address book, mail, picture store, and scheduler. When Natsuno applied his finger onto the reader platen glass (located at the bottom of the phone), **nothing happened!** “OK – we’ll try that later,” he added somewhat sheepishly, after waiting for some 30 seconds..[From 505i Launch Event: DoCoMo Finger Scanner Boo-Boo with Fujitsu Celly by Wireless Watch Japan]
This, it seems to me, is a common experience with biometric laptops, USB sticks and the like. It works most of the time, but when your boss is standing over you desperate from some document on your laptop, it doesn’t.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]